VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests
In 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, 27 February 2023 - 3 March 2023, 2023
Data regulation laws such as GDPR and CCPA provide consumers (or data subjects) with rights to request data operations such as access, modification, or deletion of their collected data. Authenticating consumers is crucial when conducting this operation, as such data can be privacy-sensitive. This is straight forward for consumers with accounts, as they simply provide authenticate by logging into their account. Such data regulation laws also require the same right to be provided to accountless consumers. However, authenticating such consumers have been adhoc, insecure, and privacy-invasive. In this work, we present VICEROY, a first-of-its-kind protocol that allows accountless consumers to authenticate themselves securely, privately, and in scale. We prove the security of VICEROY via Tamarin prover and its scalability through extensive evaluation.